cert-manager · jetstack-bot · Oct 27, 2021 · Oct 16, 2021 · Oct 19, 2021 · Oct 19, 2021
diff --git a/content/en/docs/configuration/acme/http01/_index.md b/content/en/docs/configuration/acme/http01/_index.md
@@ -10,7 +10,7 @@ type: "docs"
 📌  This page focuses on solving ACME HTTP-01 challenges. If you are looking for
 how to automatically create Certificate resources by annotating Ingress or
 Gateway resources, see [Securing Ingress Resources](/docs/usage/ingress/) and
-[Securing Gateway Resources](/docs/usage/gateway/).
+[Securing Gateway Resources](../../../usage/gateway/).
 
 {{% /pageinfo %}}
 

diff --git a/content/en/docs/contributing/release-process.md b/content/en/docs/contributing/release-process.md
@@ -87,7 +87,7 @@ release:
 2. Install our [`cmrel`](https://github.com/cert-manager/release) CLI:
 
    ```sh
-   go install github.com/cert-manager/release/cmd/cmrel@master
+   go install github.com/cert-manager/release/cmd/cmrel@latest
    ```
 
 3. Clone the `cert-manager/release` repo:
@@ -302,8 +302,9 @@ page if a step is missing or if it is outdated.
         ```
 
         This step takes ~10 minutes. It will build all Docker images and create
-        all the manifest files and upload them to a storage bucket on Google
-        Cloud. These artifacts will be published and released in the next steps.
+        all the manifest files, sign Helm charts and upload everything to a storage
+        bucket on Google Cloud. These artifacts will then be published and released
+        in the next steps.
 
         <div class="pageinfo pageinfo-info"><p>
         🔰 Remember to keep open the terminal where you run <code>cmrel stage</code>. Its output will be used in the next step.
@@ -352,7 +353,7 @@ page if a step is missing or if it is outdated.
 
         ```sh
         # Must be run from the "cert-manager/release" repo folder.
-        cmrel publish --release-name "$CMREL_RELEASE_NAME"
+        cmrel publish --skip-signing --release-name "$CMREL_RELEASE_NAME"
         ```
 
         You can view the progress by clicking the Google Cloud Build URL in the
@@ -371,7 +372,8 @@ page if a step is missing or if it is outdated.
 
         ```bash
         # Must be run from the "cert-manager/release" repo folder.
-        cmrel publish --nomock --release-name "$CMREL_RELEASE_NAME"
+        # Skip signing while quay.io doesn't support cosign signatures
+        cmrel publish --nomock --skip-signing --release-name "$CMREL_RELEASE_NAME"
         ```
 
         <div class="pageinfo pageinfo-warning"><p>

diff --git a/content/en/docs/installation/code-signing.md b/content/en/docs/installation/code-signing.md
@@ -16,31 +16,19 @@ Signing keys required for verification are all available on this website, but th
 on the artifact you're trying to validate in the future. At the time of writing, all signing is done using the same underlying
 key.
 
-## Container Images / Cosign
-
-For all cert-manager versions from `v1.6.0` and later, container images are verifiable using [`cosign`](https://docs.sigstore.dev/cosign/overview).
-
-The simplest way to verify signatures is to download the public key and then pass it to the cosign CLI:
-
-```console
-curl -sSL https://cert-manager.io/public-keys/cert-manager-pubkey-2021-09-20.pem > cert-manager-pubkey-2021-09-20.pem
-cosign verify -key cert-manager-pubkey-2021-09-20.pem quay.io/jetstack/cert-manager-controller
-# repeat for other images as desired
-```
-
-For a more fully-featured signature verification process in Kubernetes, check out [`connaisseur`](https://sse-secure-systems.github.io/connaisseur/).
-
-- PEM-encoded public key: [`cert-manager-pubkey-2021-09-20.pem`](/public-keys/cert-manager-pubkey-2021-09-20.pem)
-
 ## Helm Charts
 
+<!--
+TODO: uncomment this when cosign signing is in place. The warning doesn't have much value
+if we're not advertising the existence of other public keys.
 {{% alert title="Warning" color="warning" %}}
 Helm requires the use of PGP for verification; the key format is different.
 
-Trying to use the PEM encoded public keys above will fail.
+Trying to use PEM encoded public keys will fail.
 {{% /alert %}}
+-->
 
-For all cert-manager versions from `v1.6.0` and later, helm charts are signed and verifiable through the helm CLI.
+For all cert-manager versions from `v1.6.0` and later, Helm charts are signed and verifiable through the Helm CLI.
 
 The easiest way to verify is to grab the GPG keyring directly, which can then be passed into `helm verify` like so:
 
@@ -49,5 +37,28 @@ curl -sSL https://cert-manager.io/public-keys/cert-manager-keyring-2021-09-20-10
 helm verify --keyring cert-manager-keyring-2021-09-20-1020CF3C033D4F35BAE1C19E1226061C665DF13E.gpg /path/to/cert-manager-vx.y.z.tgz
 ```
 
-- ASCII-armored signing key: [`cert-manager-pgp-2021-09-20-1020CF3C033D4F35BAE1C19E1226061C665DF13E.asc`](/public-keys/cert-manager-pgp-2021-09-20-1020CF3C033D4F35BAE1C19E1226061C665DF13E.asc)
-- GPG keyring: [`cert-manager-keyring-2021-09-20-1020CF3C033D4F35BAE1C19E1226061C665DF13E.gpg`](/public-keys/cert-manager-keyring-2021-09-20-1020CF3C033D4F35BAE1C19E1226061C665DF13E.gpg)
+- ASCII-armored signing key: [`cert-manager-pgp-2021-09-20-1020CF3C033D4F35BAE1C19E1226061C665DF13E.asc`](../../../public-keys/cert-manager-pgp-2021-09-20-1020CF3C033D4F35BAE1C19E1226061C665DF13E.asc)
+- GPG keyring: [`cert-manager-keyring-2021-09-20-1020CF3C033D4F35BAE1C19E1226061C665DF13E.gpg`](../../../public-keys/cert-manager-keyring-2021-09-20-1020CF3C033D4F35BAE1C19E1226061C665DF13E.gpg)
+
+## Container Images / Cosign
+
+Soon, all container images which make up cert-manager will be verifiable using [`cosign`](https://docs.sigstore.dev/cosign/overview).
+
+Unfortunately, this isn't possible today because the images are hosted on `quay.io` which doesn't have the proper support for cosign signatures yet. When signatures are
+added, this section will contain details of how to verify them.
+
+<!--
+TODO: also uncomment the warning in the helm section!
+
+The simplest way to verify signatures is to download the public key and then pass it to the cosign CLI:
+
+```console
+curl -sSL https://cert-manager.io/public-keys/cert-manager-pubkey-2021-09-20.pem > cert-manager-pubkey-2021-09-20.pem
+cosign verify -key cert-manager-pubkey-2021-09-20.pem quay.io/jetstack/cert-manager-controller
+# repeat for other images as desired
+```
+
+For a more fully-featured signature verification process in Kubernetes, check out [`connaisseur`](https://sse-secure-systems.github.io/connaisseur/).
+
+- PEM-encoded public key: [`cert-manager-pubkey-2021-09-20.pem`](../../../public-keys/cert-manager-pubkey-2021-09-20.pem)
+-->
diff --git a/content/en/docs/installation/helm.md b/content/en/docs/installation/helm.md
@@ -82,7 +82,7 @@ $ helm install \
   --create-namespace \
   --version v1.5.4 \
   --set prometheus.enabled=false \  # Example: disabling prometheus using a Helm parameter
-  --set webhook.timeoutSeconds=4s   # Example: changing the wehbook timeout using a Helm parameter
+  --set webhook.timeoutSeconds=4   # Example: changing the wehbook timeout using a Helm parameter
 ```
 
 Once you have deployed cert-manager, you can [verify](../verify/) the installation.

diff --git a/content/en/docs/usage/certificate.md b/content/en/docs/usage/certificate.md
@@ -219,15 +219,15 @@ certificate object is reissued under the following circumstances:
   kubectl cert-manager renew cert-1
   ```
   Note that the above command requires the [kubectl
-  cert-manager](/docs/usage/kubectl-plugin/#renew) plugin.
+  cert-manager](../kubectl-plugin/#renew) plugin.
 
 {{% pageinfo color="warning" %}}
 
 **❌** Deleting the Secret resource associated with a Certificate resource is
 **not a recommended solution** for manually rotating the private key. The
 recommended way to manually rotate the private key is to trigger the reissuance
 of the Certificate resource with the following command (requires the [`kubectl
-cert-manager`](/docs/usage/kubectl-plugin/#renew) plugin):
+cert-manager`](../kubectl-plugin/#renew) plugin):
 
 ```sh
 kubectl cert-manager renew cert-1

diff --git a/content/en/docs/usage/gateway.md b/content/en/docs/usage/gateway.md
@@ -29,7 +29,7 @@ the Ingress API.
 The Gateway resource holds the TLS configuration, as illustrated in the
 following diagram (source: https://gateway-api.sigs.k8s.io):
 
-![Gateway vs. HTTPRoute](/images/gateway-roles.png)
+![Gateway vs. HTTPRoute](../../../images/gateway-roles.png)
 
 Note that cert-manager only supports setting up the TLS configuration on the
 Gateway resource when the Gateway is configured to terminate the TLS connection.